Local applications on the user's computer can listen for webhooks via an insecure gRPC server in stripe-cli
Team Summary
Official summary from Stripe
The stripe daemon command from the stripe-cli exposes a local gRPC server that does not require authentication and allows any local application to execute remote procedures. One of the procedures is Listen, which is the equivalent of the stripe listen command and receives all webhooks for the user's account. To exploit this issue, the attacker must have another application installed on the victim's computer. Once the attacker executes the remote procedure, webhooks from the victim's account are sent to the attacker. In response to this report, we removed some information delivered via the webhook. We have otherwise accepted the risk, because physical access, a man-in-the-middle position, or a prior compromise is a prerequisite for this attack.
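The weakness class behind this report is a loopback RPC endpoint that treats "the connection came from 127.0.0.1" as if it identified the caller; binding to localhost stops remote hosts, but any process running under any local account can still connect and call Listen. The following is an added illustration written for this page, not stripe-cli code and not the change Stripe describes above (stripe-cli speaks gRPC, and Stripe accepted the residual risk rather than adding caller authentication). It stands in a small JSON-over-HTTP daemon using only the Python standard library, runs it once in the reported state (no authentication) and once with the usual mitigation for local daemons: a per-session random token that the daemon writes to a file readable only by its owner, which a legitimate client reads back and presents on every call. The procedure name /Listen, the X-Session-Token header, the token-file layout and the FAKE_WEBHOOK payload are all assumptions made for the example.

```python
"""Loopback RPC daemon with and without caller authentication.
Illustrative only; this is not stripe-cli's protocol or code."""
import hmac
import json
import os
import secrets
import stat
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for the data a Listen procedure would hand back.
FAKE_WEBHOOK = {"type": "payment_intent.succeeded",
                "data": {"object": {"id": "pi_constructed_example"}}}


def make_handler(expected_token):
    """Build a request handler. expected_token=None reproduces the reported
    state: the daemon performs no authentication at all."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def _authorized(self):
            if expected_token is None:
                return True  # insecure: any local process may call Listen
            presented = self.headers.get("X-Session-Token", "")
            # constant-time compare so the check does not leak token bytes via timing
            return hmac.compare_digest(presented.encode(), expected_token.encode())

        def do_POST(self):
            if self.path != "/Listen":
                self._reply(404, {"error": "unknown procedure"})
                return
            if not self._authorized():
                self._reply(401, {"error": "missing or wrong session token"})
                return
            self._reply(200, {"webhook": FAKE_WEBHOOK})

        def _reply(self, status, body):
            data = json.dumps(body).encode()
            self.send_response(status)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

    return Handler


def write_token_file(token, path):
    """Store the session token with mode 0600 so only processes running as the
    daemon's user can read it (hypothetical layout, not stripe-cli's)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as f:
        f.write(token)


def start_daemon(require_auth):
    """Start a loopback-only server on an ephemeral port. Returns (server, port, token)."""
    token = secrets.token_urlsafe(32) if require_auth else None
    server = HTTPServer(("127.0.0.1", 0), make_handler(token))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1], token


def call_listen(port, token=None):
    """Act as 'another application on the same machine' invoking Listen.
    Returns the HTTP status the daemon answered with."""
    req = Request(f"http://127.0.0.1:{port}/Listen", data=b"{}", method="POST")
    req.add_header("Content-Type", "application/json")
    if token is not None:
        req.add_header("X-Session-Token", token)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status
    except HTTPError as e:
        return e.code


def demo():
    """Run both configurations; return the status code observed for each call."""
    insecure, port, _ = start_daemon(require_auth=False)
    results = {"insecure_no_token": call_listen(port)}      # 200: anyone gets webhooks
    insecure.shutdown()

    hardened, port, token = start_daemon(require_auth=True)
    results["hardened_no_token"] = call_listen(port)                    # 401
    results["hardened_wrong_token"] = call_listen(port, "not-the-token")  # 401
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "session.token")
        write_token_file(token, path)
        with open(path) as f:                                # legitimate client reads 0600 file
            results["hardened_with_token"] = call_listen(port, f.read())  # 200
    hardened.shutdown()
    return results


if __name__ == "__main__":
    print(demo())
```

The token-file pattern only raises the bar to "same user as the daemon", which matches Stripe's framing that a prior compromise of the account is the real prerequisite; it does not help against malware already running as that user, and on Windows the 0600 mode has no effect, so an ACL would be needed there instead.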
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Improper Authentication - Generic